[cryptography] Must have seemed like a good idea at the time

Karsten Nohl nohl at virginia.edu
Tue Jul 23 16:12:11 EDT 2013


On Jul 22, 2013, at 7:48 , ianG <iang at iang.org> wrote:

> On 22/07/13 02:27 AM, James A. Donald wrote:
>> On 2013-07-22 9:01 AM, Randall Webmail wrote:
>>> 
>>> [SNIP]
>>> To derive a DES OTA key, an attacker starts by sending a binary SMS to
>>> a target device. The SIM does not execute the improperly signed OTA
>>> command, but does in many cases respond to the attacker with an error
>>> code carrying a cryptographic signature, once again sent over binary
>>> SMS.
> 
> Wait -- using the same signing DES key as that which it uses to accept the OTA (over-the-air) java applet???

The key use is indeed fully symmetric -- the same key is used to sign messages in both directions.

>>> A rainbow table resolves this plaintext-signature tuple to a
>>> 56-bit DES key within two minutes on a standard computer.
> 
> OK, but how does one acquire the rainbow table?  Does one have to send 2^64 attempts to the SMS, and does it shut down after the 3rd ... or did they forget that part too?

The plaintext of the error messages is predictable among a small set of possible values. A rainbow table computes the signature on one of these texts for (some of) the 2^56 possible keys. Computing tables for the relevant plaintexts with reasonable coverage after removing mergers takes the equivalent computing time of a handful of brute force computations. Each lookup thereafter is on the order of a few billion DES operations.

Cheers,

     -Karsten
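
Added example, not part of the original message: a toy time-memory trade-off table of the kind the reply describes, showing why one fixed, predictable signed text allows precomputation, why merged chains are dropped, and why coverage is only partial. It assumes a 16-bit keyspace and a SHA-256 based stand-in for the DES signature; all names, the sample text and the parameters are constructed for illustration.

```python
import hashlib

KEY_BITS = 16                        # toy keyspace; the post concerns 2^56 DES keys
N = 1 << KEY_BITS
KNOWN_TEXT = b"constructed predictable error text"   # constructed sample plaintext
CHAIN_LEN, CHAINS = 64, 4096         # constructed table parameters

def sign(key: int) -> bytes:
    """Stand-in keyed signature over the fixed text (SHA-256 based, NOT DES)."""
    return hashlib.sha256(key.to_bytes(2, "big") + KNOWN_TEXT).digest()[:8]

def reduce_sig(sig: bytes, col: int) -> int:
    """Map a signature back into the keyspace; differs per column (rainbow)."""
    return (int.from_bytes(sig, "big") + col) % N

def chain(key: int, start_col: int = 0) -> list:
    """Keys visited from start_col onward; the last element is the endpoint."""
    keys = [key]
    for col in range(start_col, CHAIN_LEN):
        keys.append(reduce_sig(sign(keys[-1]), col))
    return keys

def build_table() -> dict:
    """Precompute endpoint -> start. Merged chains share an endpoint; keep one."""
    table = {}
    for start in range(CHAINS):
        table.setdefault(chain(start)[-1], start)
    return table

def lookup(table: dict, sig: bytes):
    """Return the key that produced sig, or None if the table does not cover it."""
    for col in range(CHAIN_LEN - 1, -1, -1):      # guess the key's column
        end = chain(reduce_sig(sig, col), col + 1)[-1]
        start = table.get(end)
        if start is None:
            continue
        for key in chain(start)[:-1]:             # rebuild chain; filters false alarms
            if sign(key) == sig:
                return key
    return None

if __name__ == "__main__":
    table = build_table()
    secret = chain(0)[5]                          # a key known to lie in a stored chain
    print(len(table), "distinct chains kept of", CHAINS)
    print("recovered:", lookup(table, sign(secret)) == secret)
```

The table stores only one start and endpoint per chain, and it is valid only for the one text it was built on; a signature over any other text cannot be looked up in it.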


